Primitive Bear

Threat Actor Profile Updated 3 months ago
Primitive Bear, also known as Gamaredon, UAC-0010, and Shuckworm, is a threat actor associated with Russia that has been actively targeting Ukraine for over a decade. This group has primarily focused on organizations within government, defense, and critical infrastructure sectors.

Since our update in early February, Ukraine's cyber domain has experienced escalating threats from Russia. While there is no confirmed link to Primitive Bear, we anticipate an increase in malicious cyber activities in the coming weeks as the conflict between the countries evolves. In a keynote presentation at CPX 2024, Maya Horowitz, Vice President of Research at Check Point, highlighted that USBs were the primary infection vector for three major threat groups in 2023, including Russia's Primitive Bear.

Despite the attention drawn by Russian deployment of wiper malware in late January, a report by Ukraine's State Cyber Protection Centre indicates that Primitive Bear's recent activity has maintained a more traditional focus on espionage and information theft rather than system destruction. The group's actions are generally associated with Russia's Federal Security Service (FSB). The ongoing attribution of these events underlines the complexity and evolving nature of the cybersecurity landscape. As the situation continues to develop, it's crucial to stay updated on the activities of threat actors like Primitive Bear to effectively manage and mitigate the risks they pose.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Gamaredon | 4 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Trident Ursa | 1 | Trident Ursa, also known as Gamaredon, Shuckworm, Actinium, Armageddon, Primitive Bear, and UAC-0010, is a threat actor attributed to Russia's Federal Security Service by the Security Service of Ukraine. This group has been active since 2014, primarily focusing on Ukrainian entities such as governme
Shuckworm | 1 | Shuckworm, also known as Gamaredon, Primitive Bear, ACTINIUM, and Armageddon, is a threat actor associated with the Russian government. Operational since 2013, it has been primarily targeting Ukrainian entities across multiple sectors, including government, defense, and critical infrastructure. In J
Aqua Blizzard | 1 | Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Wiper
Apt
Ukraine
Russia
Malware
russian
Associated Malware
ID | Type | Votes | Profile Description
Stately Taurus | Unspecified | 1 | Stately Taurus, also known as Mustang Panda, Bronze President, Red Delta, LuminousMoth, Earth Preta, and Camaro Dragon, is a potent malware linked to Chinese Advanced Persistent Threat (APT) activities. The first signs of its operation date back to at least 2012, with notable activity traced to Marc
Raspberry Robin | Unspecified | 1 | Raspberry Robin is a sophisticated malware that has been designed to exploit and damage computer systems. This malicious software infiltrates the system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, Raspberry Robin can steal personal information, di
Associated Threat Actors
ID | Type | Votes | Profile Description
Camaro Dragon | Unspecified | 1 | Camaro Dragon, a Chinese state-sponsored threat actor, has been identified as the source of several cyber attacks on European foreign affairs entities. Checkpoint Research has discovered and analyzed a custom firmware image affiliated with Camaro Dragon, which contained multiple malicious components
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Tilden | Unspecified | 1 | None
Source Document References
Information about the Primitive Bear threat actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 5 months ago | 'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs
CERT-EU | 8 months ago | Gamaredon's LittleDrifter USB malware spreads beyond Ukraine
MITRE | a year ago | Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
Unit42 | a year ago | Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
CERT-EU | a year ago | Ukraine at D+343: Preparing for an attack on the war's anniversary.
CERT-EU | a year ago | Warning about the Russian threat actor Gamaredon: how to protect yourself against the cyber threat – Global Security Mag Online